What Is Post-Quantum Cryptography?
Post-quantum cryptography (PQC) is a set of cryptographic methods designed to remain secure against the computational capabilities of quantum computers. Understanding and adopting PQC is vital for organizations to safeguard critical data, protect privacy, and maintain trust in digital systems once quantum computers become available.
Overview
• PQC protects data against future quantum attacks as “Q-Day” nears, when RSA, ECC, and Diffie-Hellman become breakable.
• “Harvest now, decrypt later” is already a risk: Attackers can store encrypted traffic today and decrypt it later with quantum computers when they become available.
• PQC vs. quantum cryptography: PQC runs on classical systems (software upgrade); QKD uses quantum physics and specialized hardware.
• Start migrating now: Inventory crypto, prioritize long-life data, use hybrid approaches, and align with NIST 2024 standards + CISA/NSM-10.
Why Is Post-Quantum Cryptography Important?
Quantum computers, once they achieve cryptanalytically relevant capabilities, pose a significant threat to digital security. A sufficiently powerful quantum computer, known as a Cryptanalytically Relevant Quantum Computer (CRQC), will render most of today's public-key cryptography obsolete. This moment is often called “Q-Day” and market experts estimate it will arrive sometime between 2030 and 2035.
Sensitive data encrypted today could become vulnerable tomorrow to quantum-powered decryption. This threat has brought about concerns around "harvest now, decrypt later" (HNDL), where adversaries collect encrypted data now to decrypt it when quantum computers become available. Attackers are siphoning off and storing massive amounts of encrypted data today, waiting for quantum computers to be available to break the encryption and unlock the sensitive information within. Data with a long shelf life—like intellectual property, government secrets, and personal health records—is especially at risk. Understanding and adopting PQC is vital to safeguarding critical data, protecting privacy, and maintaining trust in digital systems.
What’s the Impact of Quantum Computing Breaking Current Encryption Standards?
When quantum computers become powerful enough to break current public-key encryption, all existing systems reliant on RSA (a widely used public-key algorithm), Elliptic Curve Cryptography (ECC), and Diffie-Hellman key exchange will be vulnerable to attackers who use quantum computers to break those classical algorithms and access sensitive data and communications. Governments, businesses, and individuals will face risks of widespread data breaches and compromised systems.
But PQC ensures that encryption standards evolve to meet this new challenge, protecting secure communications, financial transactions, and digital identities from quantum attacks.
- Harvest now, decrypt later: Threat actors will capture data now and decrypt it later, when quantum computing becomes viable.
- Broken signatures mean the loss of secure communications: Today’s encryption standards will be broken in a post-quantum world.
- Attackers are planning now to leverage quantum computing as part of their overall arsenal: Although quantum computers are not expected until the 2030s, attackers will leverage quantum computing as part of their standard TTPs.
- Organizations need to prepare now: Beginning to adopt post-quantum encryption standards to safeguard data against future decryption threats will be key to securing critical data, protecting privacy, and maintaining trust in digital systems.
Post-Quantum Cryptography vs. Quantum Cryptography
Though their names are similar, post-quantum cryptography (PQC) and quantum cryptography are different concepts:
- Post-quantum cryptography (PQC) focuses on creating new algorithms that can run on classical computers but are resistant to attacks from quantum computers. It is a software-based solution designed to replace our current algorithms that will become vulnerable when quantum computers are available for wider use.
- Quantum cryptography uses the principles of quantum mechanics itself to secure communication, most notably through Quantum Key Distribution (QKD). It relies on physics, not mathematical complexity, and requires specialized quantum hardware to operate.
Quantum Computing Threats
Quantum computing threats arise from the unique ability of quantum computers to solve complex math problems exponentially faster than classical computers. This includes breaking traditional public-key encryption systems, potentially exposing sensitive emails, bank accounts, intellectual property, and national security data. These threats disproportionately impact asymmetric cryptographic systems, which are foundational to many secure internet communications. As quantum computing advances, the necessity to transition to quantum-resistant cryptography becomes urgent to mitigate these risks.
The failure of current encryption standards would be a seismic event for data security and privacy. The impact includes:
- Compromised communications: Secure web browsing (HTTPS), VPNs, and encrypted messaging would be broken, allowing for widespread eavesdropping. For example, attackers on public Wi-Fi networks could capture users’ encrypted traffic today and decrypt it later with a quantum computer.
- Data breaches: Decades of stored, encrypted data could be unlocked, exposing sensitive personal, financial, and corporate information.
- Digital trust evaporation: The systems that verify identity and secure transactions online, such as digital signatures, would no longer be trustworthy.
- Economic and national security risks: Critical infrastructure, financial systems, and national security communications would be vulnerable to attack and espionage.
What Steps Should Organizations Take for a Successful Transition to Post-Quantum Cryptography?
Organizations can start their journey to becoming quantum-resistant today. Key steps include:
Plan and adopt a quantum-safe strategy
Use a hybrid cryptography approach during the transition by pairing quantum-resistant algorithms with existing ones to maintain security and compatibility. Monitor emerging standards and select PQC algorithms recommended by NIST, ISO, and ETSI. Update internal cybersecurity, data security, and acquisition standards to require PQC support. Assign a clear owner or team to lead implementation and keep the transition on track.
Inventory cryptographic-dependent assets
Document the cryptographic algorithms, keys, certificates, and protocols used across systems and applications. Prioritize business-critical IT assets for transitioning to PQC-safe ciphers and signatures. Identify where public-key cryptography is used and flag those systems as quantum-vulnerable. Catalog the most sensitive data at risk from “harvest now, decrypt later” attacks to guide what to protect first.
Implement PQC key exchange
Replace or complement current key exchange mechanisms—such as RSA, Diffie-Hellman, or Elliptic Curve Diffie-Hellman (ECDH)—with new algorithms such as ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) that are designed to remain secure in a post-quantum world.
Implement PQC algorithms
As PQC algorithms become standardized, begin transitioning certificates to PQC-based options. In parallel, improve performance and compatibility by pursuing proxy optimization, such as enabling PQC-secured transport between the client and the proxy.
Regulatory and Compliance Mandates
Governments and organizations worldwide are taking proactive steps to establish regulatory frameworks and compliance mandates regarding PQC. After a multi-year competition to identify the most effective PQC algorithms, the National Institute of Standards and Technology (NIST) began publishing its first finalized PQC standards in 2024. The release of these standards officially started the clock for organizations to begin their migration.
These cryptographic standards can guide the development and adaptation of quantum-resistant algorithms. Organizations are expected to audit their cryptographic technologies, identify quantum-vulnerable systems, and plan their migration to PQC.
Government agencies and forward-thinking organizations are now actively working to follow these new guidelines and update their systems to be quantum-resistant. Below is key guidance issued by the Executive Branch of the U.S. Federal Government, NIST, and the Cybersecurity and Infrastructure Security Agency (CISA):
National Security Memorandum 10 (NSM-10)
Issued by the White House in May 2022, National Security Memorandum 10 (NSM-10) is a policy directive that formally establishes the United States' national strategy for the transition to post-quantum cryptography (PQC).
Key Directives and Mandates
NSM-10 outlines a clear, whole-of-government approach to address this risk. Its key mandates include:
- Mandatory migration to PQC: The memorandum directs all federal agencies to begin the process of migrating their information technology systems to cryptographic algorithms that are resistant to quantum computer attacks.
- Reliance on NIST standards: The transition must be based on the Post-Quantum Cryptography standards being developed and published by the National Institute of Standards and Technology (NIST). NSM-10 sets NIST as the central authority for defining the approved quantum-resistant algorithms for government use.
- Inventory and prioritization: Within 180 days of NIST publishing the new PQC standards, federal agencies were required to provide the Cybersecurity and Infrastructure Security Agency (CISA) with a complete inventory of their IT systems that rely on public-key cryptography. This inventory is crucial for prioritizing the migration of the most sensitive and critical systems, particularly National Security Systems (NSS).
- Agency-level planning: It requires the head of each federal agency to develop and maintain a plan for the transition, designating a lead official to oversee the process.
NIST’s Role and Standards
The U.S. National Institute of Standards and Technology (NIST) published its first set of finalized post-quantum cryptography (PQC) standards in 2024. This publication marks the culmination of a multi-year, global competition to develop and vet cryptographic algorithms capable of withstanding attacks from both classical and future quantum computers.
The release of these standards—FIPS 203, FIPS 204, and FIPS 205—officially begins the global migration away from vulnerable public-key cryptography (like RSA and ECC) and establishes the technical foundation for a secure, quantum-resistant digital ecosystem.
Here are the key components of the finalized standards:
For Public-Key Encryption and Key Establishment: ML-KEM
The standard designed to protect data in transit (e.g., in a TLS session for a website) and establish secure communication channels is FIPS 203: Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM).
Purpose and role:
ML-KEM is the designated replacement for key-establishment algorithms like Elliptic Curve Diffie-Hellman (ECDH) and RSA encryption. A Key-Encapsulation Mechanism (KEM) is used to securely generate and exchange a shared secret key between two parties, which can then be used to encrypt all subsequent communication.
Key characteristics:
- General purpose: It is designed to be the primary, workhorse algorithm for most public-key encryption needs.
- Performance: It offers a strong balance of security, efficiency, and relatively small key sizes, making it suitable for a wide range of applications, from web servers to embedded devices.
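The hybrid key exchange recommended in the transition steps above (ML-KEM paired with a classical ECDH) and the KEM flow this section describes, as an added example that is not Zscaler's code or the page's own: both sides of an X25519 + ML-KEM-768 exchange using Go 1.24's standard-library crypto/ecdh and crypto/mlkem. The message layout (raw public key bytes and ciphertext) and the hash-based combiner are this example's own assumptions, not the TLS key schedule; the client's first message is ec.PublicKey().Bytes() and kem.EncapsulationKey().Bytes().

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { // production code returns these errors
	if err != nil {
		panic(err)
	}
	return v
}

// combine hashes both secrets under a fixed label so the session key stays
// secret while either X25519 or ML-KEM is unbroken (example combiner only).
func combine(kemSecret, ecSecret []byte) []byte {
	sum := sha256.Sum256(append(append([]byte("hybrid-x25519-mlkem768-example"), kemSecret...), ecSecret...))
	return sum[:]
}

// ClientInit makes the client's X25519 key pair and ML-KEM-768 key pair.
func ClientInit() (ec *ecdh.PrivateKey, kem *mlkem.DecapsulationKey768) {
	return must(ecdh.X25519().GenerateKey(rand.Reader)), must(mlkem.GenerateKey768())
}

// ServerRespond finishes X25519 and encapsulates a fresh ML-KEM secret to the
// client's key; it returns the session key plus the reply message (its X25519
// public key and the 1088-byte ML-KEM ciphertext).
func ServerRespond(clientEcPub, clientKemEk []byte) (key, ecPub, ct []byte) {
	ec := must(ecdh.X25519().GenerateKey(rand.Reader))
	ecSecret := must(ec.ECDH(must(ecdh.X25519().NewPublicKey(clientEcPub))))
	kemSecret, ct := must(mlkem.NewEncapsulationKey768(clientKemEk)).Encapsulate()
	return combine(kemSecret, ecSecret), ec.PublicKey().Bytes(), ct
}

// ClientFinish derives the same key on the client. ML-KEM never reports a
// corrupted ciphertext: decapsulation returns an unrelated secret, so the
// mismatch only surfaces when the keys are compared or first used.
func ClientFinish(ec *ecdh.PrivateKey, kem *mlkem.DecapsulationKey768, serverEcPub, ct []byte) []byte {
	ecSecret := must(ec.ECDH(must(ecdh.X25519().NewPublicKey(serverEcPub))))
	return combine(must(kem.Decapsulate(ct)), ecSecret)
}

func main() {
	ec, kem := ClientInit()
	sKey, sPub, ct := ServerRespond(ec.PublicKey().Bytes(), kem.EncapsulationKey().Bytes())
	fmt.Println("keys match:", string(sKey) == string(ClientFinish(ec, kem, sPub, ct)))
}
```

Because a bad ML-KEM ciphertext is silently mapped to a random secret rather than rejected, a real protocol needs key confirmation (as TLS provides through its Finished messages) before the session key is trusted.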
For Digital Signatures: ML-DSA and SLH-DSA
Digital signatures are essential for verifying identity and ensuring data integrity (e.g., confirming the authenticity of software updates or a user's identity). NIST finalized two distinct standards for this purpose, offering both a primary option and a highly conservative alternative.
The primary digital signature standard is FIPS 204: Module-Lattice-based Digital Signature Algorithm (ML-DSA).
Purpose and role:
ML-DSA is intended to be the main replacement for today's most common signature algorithms, such as RSA signatures and the Elliptic Curve Digital Signature Algorithm (ECDSA).
Key characteristics:
- Efficiency: Like ML-KEM, it provides a strong balance of security with good performance and compact signature sizes, making it the default choice for most use cases.
- Broad Applicability: It is expected to be widely adopted for software signing, certificate issuance, and user authentication.
The alternative digital signature standard is FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA).
Purpose and role:
SLH-DSA provides a powerful alternative to the lattice-based algorithms. Its inclusion reflects a "belt and suspenders" approach to security.
Key characteristics:
- Different security foundation: Unlike the lattice-based algorithms ML-KEM and ML-DSA (originally submitted as Kyber and Dilithium), the security of SLH-DSA (originally SPHINCS+) relies only on the well-understood strength of cryptographic hash functions. This provides cryptographic diversity; if an unexpected weakness were ever discovered in lattice-based cryptography, systems could fall back on this entirely different mathematical foundation.
- Conservative choice: Because of its reliance on hash functions, it is considered a very conservative and highly trusted choice. The main trade-offs are significantly larger signature sizes and slower performance compared to ML-DSA. It is therefore recommended for use cases where these trade-offs are acceptable, such as signing firmware or high-value digital assets.
How Zscaler Prepares Customers for PQC
Our customers' trust is dependent upon the efficacy of the security capabilities we provide. To prepare for a PQC world, we have embraced a proactive approach to address quantum computing challenges. Here are the key initiatives we have started at Zscaler to tackle the challenges of PQC:
- Quantum-safe cryptography readiness: Zscaler tracks PQC standards and validates ML-KEM for cloud rollout.
- Hybrid cryptographic systems: Zscaler supports hybrid ECC + PQC to reduce transition risk and add assurance.
- Scalable implementation: Zscaler’s global gateway scale enables PQC protections with minimal disruption.
- Global collaboration and compliance: Zscaler works with NIST and regulators to align best practices and compliance.
- Customer and partner enablement: Zscaler provides guidance, tools, and feedback loops to speed PQC readiness.
- Innovation and future-proofing: Zscaler builds crypto-agility to adopt evolving PQC standards across its platform.
Future-proof your cybersecurity! Request a demo of Zscaler's Zero Trust Exchange to secure your organization from quantum threats today.
FAQ
Transitioning to PQC requires a strategic, organization-wide effort with significant updates to hardware and software, including Trusted Platform Modules (TPMs), firmware, and networking equipment. However, the investments in such upgrades are essential to prevent vulnerabilities in the near future. Overall, "crypto-agility" will be key to a smooth transition.
The development process is well underway. NIST has finalized the first set of standardized algorithms for digital signatures and public-key encryption (ML-KEM), with more to follow. The technology is moving from research into implementation.
Encryption methods based on lattice-based, code-based, hash-based, and multivariate polynomial problems show promise for quantum resistance. NIST’s list of approved PQC algorithms provides further guidance.
Organizations should conduct a comprehensive inventory of cryptographic systems, identify quantum-vulnerable assets, and prioritize systems for upgrades. Clear ownership and planning for PQC implementation should be established.
The process of transitioning to PQC is long and complex. Proactive measures now will help mitigate risks ahead of Q-Day and allow for smoother integration of new cryptographic standards.